From a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 25 Apr 2014 23:03:05 -0700
Subject: [PATCH 09/12] CVE-2014-0210: unvalidated length fields in fs_read_extent_info()

Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.

Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Adam Jackson
Reviewed-by: Matthieu Herrb
---
 src/fc/fserve.c | 10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index 96abd0e..232e969 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 pCI = NULL;
 }
+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+ numExtents, rep->length,
+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+ pCI = NULL;
+ }
 else
 pCI = malloc(sizeof(CharInfoRec) * numInfos);
-- 
1.7.1
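Review bot: The new guard's subtraction `rep->length - LENGTHOF(fsQueryXExtents16Reply)` is only safe if rep->length is already known to be at least the header length; if it is an unsigned protocol field (the types of rep->length, numExtents and the LENGTHOF macro are not visible in this hunk) a shorter value wraps to a huge bound and the `numExtents >` comparison passes, which is the case this CVE fix means to reject. Unless the reply-length minimum is enforced where the reply is read, prefix the condition with `else if (rep->length < LENGTHOF(fsQueryXExtents16Reply) ||` and keep the existing division as the second operand. The DEBUG fprintf prints rep->length with `%d`; if that field is a CARD32 the matching specifier is `%u`, and the same goes for numExtents if it is unsigned. fs_read_extent_info begins and ends outside this hunk, so the surrounding length checks cannot be confirmed from here.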